Metricon9: Security Visualized – Conveying Metrics and Analytics

As everyone readies themselves for a week of security revelry at the RSA Conference next week in San Francisco, not enough has been said about Metricon9, the annual conference dedicated to security metrics, which takes place on Friday, February 28.

Metricon is an annual conference for security professionals that is hosted by Securitymetrics.org, a community website for security practitioners focused on improving metrics and analytics so that the effectiveness of security efforts can be measured more accurately.

“Like the movie Moneyball, we’ve been working toward a single score that represents overall security posture – by division, by asset types, by business unit, by overall company, and also control data, etc. – plus the ability to drill down into underlying data for diagnosis,” Brocklehurst said.

The challenge of gathering/aggregating, normalizing, tracking, and trending has been significant, not to mention making it visually useful and actionable to non-technical senior executives. To date we have vulnerability, security configuration, and malware defenses, with more security controls to add.

“We’d like to share where we are in this, and some lessons learned from our old days at nCircle with the Benchmark product,” Brocklehurst continued. “Response by customer executives who have seen the early adopter product has been incredibly positive.”

Brocklehurst has been in the network security field for nearly twenty years and has spoken at RSAC, SANS, the Ponemon Institute, and many other events. Lately she has been focusing on helping organizations connect security with their business through metrics, analytics, and security visualizations that communicate clearly to non-technical executive teams.

Melancon works with enterprises around the world to help them objectively connect security’s value to the business and establish metrics and methods that enable objective decisions and informed action in information security. He is a highly sought-after speaker and will also be presenting four sessions at RSAC.

The security industry as we experience it today is a fairly young business and is growing into more mature frameworks, processes, and modes of communication. The ability to balance security risk with business demands is more relevant today than ever.

“This talk is about the journey to more sophisticated methods of conveying highly technical information, metrics, and analytics to non-technical executives with a genuine need to know, but who may often have no background or frame of reference to understand the information,” Brocklehurst said. “How to truly communicate the attack surface, threat opportunity, and defenses in place? This is our topic.”

This year’s Metricon9 event is an incredible gathering of brilliant thinkers who work in qualitative and quantitative methods to measure security effectiveness, but Melancon and Brocklehurst believe more can be done to convey those measures to the less technically savvy business class of enterprise leadership.

“Given the rate at which organized and highly professional attacks are succeeding, it becomes more important than ever to be able to truly communicate security status to non-technical professionals at every level in the organization,” Brocklehurst explained. “Strong metrics, analytics, and actionable security visualizations are essential.”

Brocklehurst says everyone needs to better understand that security is not the exclusive domain and responsibility of the IT team, that it’s a shared responsibility for every corporate citizen.

“Defenses for both individuals and businesses must be made more real, understandable, and actionable so that the security risks and business demands can be appropriately calibrated,” she said.

“As Tripwire has explored its portfolio of security controls, some underlying truths have surfaced, and we hope to share our journey to these realizations and provide a current look at our progress.”

And be sure to join us at Tripwire’s RSAC Booth (3501) to get your free customized t-shirt printed on the spot, and listen to the array of in-booth guest speakers we have lined up. For the speaking schedule and information on how to obtain a free RSA Expo pass, see more details here.